The Privacy Rule issued by U.S. Department of Health and Human Services (“HHS”)
Goal – strikes a balance between protecting individuals’ health information and allowing/permiting the flow of health information needed to provide quality health care.
Regulates – address the use and disclosure of individuals’ health information – called “protected health information” by organizations subject to the Privacy Rule called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used.
The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.
Personal health information or protected health information (PHI)
Refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Requirements of PHI
- Any health information information, whether oral or recorded in any form or medium
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual or the past, present, or future payment for the provision of health care to an individual:
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual
HIPAA – Ignorance of the law is NO defence for being out of compliance The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).
HIPAA violations
- Four categories of violations that reflect increasing levels of culpability
- Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
- A maximum penalty amount of $1.5 million for all violations of an identical provision
Penalties for HIPAA violations
- Applies to both covered entities and individuals
- Determined by the Office for Civil Rights and by state Attorney Generals
- is generally not be exclusively financial
- can result in civil and criminal penalties
- progressive disciplinary actions can include termination
- covered entities include healthcare providers, health plans, healthcare clearinghouses and all other CEs – including Business Associates (BAs) of CEs
HIPAA Security Rule – Need for HIPAA Security Rule
- Ensuring implementation of appropriate security safeguards and protective measures for electronic health care information that may be at risk
- Protecting an individual’s health information, while permitting the appropriate access and use of that information, promoting the use of electronic health information in the industry
The Security Rule applies only to electronic protected health information (ePHI), ensuring the data’s.
- Confidentiality – EPHI is accessible only by authorized people and processes
- Integrity – EPHI is not altered or destroyed in an unauthorized manner
- Availability – EPHI can be accessed as needed by an authorized person
Who needs to comply with Security Rule?
HIPAA – covered entities and and business associates of covered entities who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
HIPAA – covered entities are:
- Covered Health Care Providers – Any provider of medical or other health care services or supplies who transmits any health information in electronic form
- Health care clearinghouses – A public or private entity, that process health information from nonstandard data format into standard data elements or vice-versa. Includes billing service, repricing company, community health management information system or community health information system
- Health care providers – A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care
What makes up Security Rule?
There are 3 parts of the Security Rule that covered entities must know about:
- Physical safeguards – includes mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off site computer backups
- Technical safeguards – the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted
- Administrative safeguards – includes items such assignment or delegation of security responsibility to an individual and security training requirements
